I know it is hard to believe, but I have spent years working on HIPAA Security Risk Assessments. I have conducted assessments, created tools to facilitate the work, and even written policies to facilitate the transition from the HIPAA Security Risk Assessment to the HIPAA Security Risk Management phase.
I have also spent quite a significant amount of time with Meaningful Use and facilitating attestation for Covered Entities. The process, as I found out, could be quite smooth in a perfect world; but who lives in a perfect world?
Based on a study published in Medical Care, "A National Study of Challenges to Electronic Health Record Adoption and Meaningful Use" by Dawn Heisey-Grove, MPH, Lisa-Nicole Danehy, MHS, Michelle Consolazio, MPA, Kimberly Lynch, MPH, and Farzad Mostashari, MD, ScM (lww-medicalcare.com), one of the biggest challenges encountered by Providers is the security risk analysis.
I have actually encountered several interpretations of security risk analysis and, as I admitted, even I have had to change my own risk analysis over time. However, most of what I have seen does not meet the regulatory requirements of the HIPAA Security Rule. Even worse is the fact that many Covered Entities have attested to Meaningful Use and, when asked about the Security Risk Assessment, simply answered yes without giving it a second thought. My problems with this practice are as follows:
a. Remember that under the Omnibus Rule, Business Associates must follow this requirement as well.
b. Answering yes without actually having met this requirement may be considered fraud.
c. Whether you miss one or all requirements, the interpretation by the auditors is the same: you didn't meet the Meaningful Use requirements and therefore must return all incentive monies.
So, since we know this is and will continue to be an issue, we decided to develop a couple of initiatives to help our peers.
In summary, we know conducting a Security Risk Assessment is not an easy task, yet remember that if you are going to play the game you must follow the rules.